After two years of development, ISC has released the first stable version of the new major branch of the BIND DNS server, 9.18, which will be supported for three years, until the second quarter of 2025, as part of an extended maintenance cycle.
Support for the 9.11 branch will end in March and for the 9.16 branch in mid-2023. An experimental BIND 9.19.0 branch has been created to develop functionality for the next stable version of BIND.
The BIND 9.18.0 release stands out for implementing support for DNS over HTTPS (DoH) and DNS over TLS (DoT), as well as the XoT mechanism (XFR-over-TLS) for secure transfer of zone contents between servers over TLS (both sending and receiving zones via XoT are supported).
With proper configuration, a single named process can now serve not only traditional DNS queries but also queries sent using DNS over HTTPS and DNS over TLS. A DNS over TLS client is built into the dig utility, which can send queries over TLS when the "+tls" flag is specified.
A notable feature of the DoH implementation in BIND is the ability to offload TLS encryption to another server, which may be necessary when TLS certificates are stored on another system (for example, in an infrastructure with web servers) and managed by other staff. Support for unencrypted DNS over HTTP is provided to simplify debugging and to serve as a backend for a forwarding server on the internal network (moving encryption to a separate server). On that remote server, nginx can be used to terminate TLS, much as HTTPS is arranged for websites.
Main new features of DNS BIND 9.18
This new version adds the tcp-receive-buffer, tcp-send-buffer, udp-receive-buffer, and udp-send-buffer settings, which set the buffer sizes used when sending and receiving requests over TCP and UDP. On busy servers, increasing the receive buffers helps prevent packet drops during traffic spikes, while reducing them helps keep memory from being clogged with stale requests.
Another notable change is the new "rpz-passthru" log category, which allows RPZ (Response Policy Zones) passthru actions to be logged separately. An "nsdname-wait-recurse" option has also been added to the response-policy section: when set to "no", RPZ NSDNAME rules are applied only if the authoritative nameservers for the query are already present in the cache; otherwise, the NSDNAME rule is ignored, but the information is fetched in the background and applied to subsequent queries.
To address the IP fragmentation problems with large DNS messages identified by the DNS Flag Day 2020 initiative, the resolver code that adjusted the EDNS buffer size when a query went unanswered has been removed. The EDNS buffer size (edns-udp-size) is now a constant for all outgoing queries.
Support for zone files in "map" format (masterfile-format map) has also been removed. Users of this format are advised to convert their zones to raw format using the named-compilezone utility.
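As an added example (not from the article, and not ISC's own documentation), the named.conf fragment below ties these options together: one named instance serving classic DNS, DoT and DoH with TLS terminated locally, a plain-HTTP listener on an internal address for a TLS-terminating reverse proxy, a fixed EDNS buffer size, explicit socket buffers, and a zone that is only transferred over TLS (XoT). Certificate and zone file paths, the addresses, and the buffer sizes are placeholders.

```conf
# Added example, not from the article: one named instance serving classic
# DNS, DoT and DoH with TLS terminated locally, plus a plain-HTTP listener
# meant for a TLS-terminating reverse proxy on the internal network.
# Certificate paths, addresses and buffer sizes are placeholders.

tls local-tls {
    key-file "/etc/bind/tls/dns.example.net.key";   # assumed path
    cert-file "/etc/bind/tls/dns.example.net.crt";  # assumed path
};

http local-http {
    endpoints { "/dns-query"; };
};

options {
    directory "/var/cache/bind";

    # Traditional DNS on UDP/TCP port 53.
    listen-on { any; };

    # DNS over TLS (DoT): named terminates TLS itself.
    listen-on port 853 tls local-tls { any; };

    # DNS over HTTPS (DoH): named terminates TLS itself.
    listen-on port 443 tls local-tls http local-http { any; };

    # Unencrypted DNS over HTTP, bound only to an internal address, for a
    # reverse proxy (e.g. nginx) that terminates TLS elsewhere.
    listen-on port 80 tls none http local-http { 10.0.0.53; };

    # EDNS buffer size is now fixed for all outgoing queries; 1232 bytes
    # is the DNS Flag Day 2020 recommendation to avoid IP fragmentation.
    edns-udp-size 1232;

    # Socket buffers for a busy server (illustrative values, in bytes).
    udp-receive-buffer 1048576;
    tcp-receive-buffer 1048576;
};

# XoT: allow zone transfers to the secondary only over TLS on port 853.
zone "example.net" {
    type primary;
    file "/etc/bind/zones/db.example.net";          # assumed path
    allow-transfer port 853 transport tls { 192.0.2.10; };
};
```

Run named-checkconf on the file before reloading to catch syntax errors, and keep the port 80 listener off any Internet-facing interface since it carries queries in clear text.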
Of the other changes that stand out:
- For HTTPS and SVCB record types, processing of the "ADDITIONAL" section has been implemented.
- Custom update policy types (krb5-subdomain-self-rhs and ms-subdomain-self-rhs) have been added to restrict updates to SRV and PTR records. In update-policy blocks, it is now also possible to set per-type limits on the number of records.
- Added information about transport protocol (UDP, TCP, TLS, HTTPS) and DNS64 prefixes to the output of the dig utility.
- Added support for the OpenSSL 3.0 library.
- The build system has been changed to use autoconf, automake, and libtool.
- Support for the previous DLZ (dynamically loadable zones) drivers has been removed and replaced with DLZ modules.
- Removed build and run support for the Windows platform. The latest branch that can be installed on Windows is BIND 9.16.
Finally, if you are interested in learning more, you can check the details at the following link